Passwordless Login

Passwordless Login streamlines the authentication process by enabling users to access their accounts without a password. Instead of relying on traditional credentials, users receive a secure link or a One-Time Password (OTP) via email or phone. Users can securely log in by verifying the link or OTP, improving convenience and security. This approach eliminates the need to remember complex passwords, providing a smoother, more user-friendly login experience.

How It Works

  • The user enters their registered email or phone number.
  • A login link or OTP is sent to their email or phone.
  • The user clicks the link or enters the OTP.
  • Upon successful verification, they are logged in.

📌 Note: Users must first register with a password. Afterward, they can log in using their link or OTP.

Key Features

  • Frictionless Login: Enables seamless login without needing to remember passwords.
  • Enhanced Security: Reduces the risk of password theft or breaches.
  • Improved User Experience: Provides a hassle-free passwordless auth process.
  • Alternative Authentication: Useful when users forget passwords or prefer OTP-based logins.

Configurations

Here's how to enable and configure Passwordless Login in your authentication settings in the admin console:

Enable Passwordless Login

Steps to Enable Passwordless Login:

  • Log in to the Admin Console.
  • Navigate to Passwordless Login in the Admin Console.
  • Ensure Passwordless Login is enabled.
  • If not enabled, contact the LoginRadius Support Team.

Passwordless Login Email Configuration

  • This option sends a login link to the user's email, allowing them to log in by clicking the link.
  • You can configure an email provider to send emails to users. For detailed instructions on configuring the email provider and its usage, please refer to this documentation.
  • You can customize the email template to modify the content sent to users, ensuring it aligns with your requirements. For detailed instructions on configuring email templates, refer to this document.

Passwordless Login Phone Configuration

  • In this option, an OTP is sent to the registered phone number, which the user can use to log in.
  • You can set up an SMS provider to send messages to users containing the OTP. For detailed instructions on configuring the SMS provider and its usage, please refer to this documentation.
  • You can customize the SMS template to tailor the content sent to users according to your requirements. For detailed instructions on SMS template configuration, refer to this document.

Integration Guide

The LoginRadius Identity Platform offers multiple implementation methodologies, enabling you to customize customer flows and select the passwordless login integration method that best suits your requirements.

Passwordless Auth Login Interface Setup Using JavaScript

Step 1: Include the JavaScript Library

Add the following script to your HTML file in the <head> tag:

<script src='https://auth.lrcontent.com/v2/LoginRadiusV2.js' type='text/javascript'></script>

Step 2: Initialize the LoginRadiusV2 Object

Set up your LoginRadius configuration in the <head> tag:

<script>
var commonOptions = {};
commonOptions.apiKey = "<your loginradius API key>";
commonOptions.appName = "<LoginRadius tenant name>";
commonOptions.instantLinkLogin = true;
commonOptions.instantOTPLogin = true;
var LRObject = new LoginRadiusV2(commonOptions);
</script>

These two options enable the display of the passwordless login feature for both methods:

  • commonOptions.instantLinkLogin = true;
  • commonOptions.instantOTPLogin = true;

Step 3: Load the Passwordless Login Interface and Validate Result

Add the following script before closing the </head> tag:

<script>
// Render the login interface into the element with id "login-container".
var login_options = {};
login_options.container = 'login-container';
// The success response can include the user profile and an access token.
// console.log is for testing only; replace it with your own session handling.
login_options.onSuccess = function(response) { console.log(response); };
login_options.onError = function(errors) { console.log(errors); };
LRObject.util.ready(function() { LRObject.init('login', login_options); });

// Validate OTP
var passwordlessloginvalidate_options = {};
passwordlessloginvalidate_options.onSuccess = function(response) { console.log(response); };
passwordlessloginvalidate_options.onError = function(errors) { console.log(errors); };
LRObject.util.ready(function() { LRObject.init('passwordlessLoginValidate', passwordlessloginvalidate_options); });
</script>

Step 4: Include the Login Container

Insert the following code within the <body> tag to add the login container div:

<div id="login-container"></div>

User Registration

Register a new user with a unique email and password. The system securely stores credentials for authentication.

Auth User Registration by Email: Register users using their email and password.

For detailed information on User Registration, please refer to this document.

User Login

After registration, users can log in using Passwordless Login via one of the following options:

Option 1: Login via Registered Email

Passwordless Login By Email API: This API sends a Passwordless Login verification link to the specified email ID.

Option 2: Login via Phone

Passwordless Login by Phone API: This API sends a One-Time Passcode (OTP) if the account has a verified Phone ID.

Please refer to this document for detailed information on the Passwordless Login API.

User Verification

After the user requests a link or OTP, verify their account using the following APIs:

Passwordless Login Email Verification: This API is used to verify the Passwordless Login verification link.

Passwordless Login Phone Verification: This API verifies an account by OTP and allows the customer to log in.

Upon successful account verification, the response will include the complete user profile.

MFA with Passwordless Login

Passwordless Login can be combined with Multi-Factor Authentication (MFA) for enhanced security. The system automatically handles MFA requirements based on tenant and user-level configurations.

Compatible MFA Options: To make Passwordless Login compatible with your MFA flow, we recommend the following:

| Passwordless Channel | Not Allowed as MFA | Allowed MFA Options |
| --- | --- | --- |
| Email | Email OTP | Phone OTP, TOTP, Security Keys |
| Phone | Phone OTP | Email OTP, TOTP, Security Keys |
| Both Enabled | N/A | TOTP, Security Keys |

API Behavior:

When MFA is required, Passwordless Login APIs (Email/Phone/Username) return a response containing SecondFactorAuthentication details:

{
    "SecondFactorAuthentication": {
        "SecondFactorAuthenticationToken": "b1fbbba5-2a5e-41a2-96da-c216df36e6f4",
        "ExpireIn": "2021-04-06T08:36:53.3005592Z",
        "QRCode": "http://chart.googleapis.com/chart?cht=qr&chs=150x150&chl=otpauth...",
        "IsEmailOtpAuthenticatorVerified": false,
        "IsOTPAuthenticatorVerified": false,
        // Additional MFA status fields...
    },
    "Profile": null,
    "access_token": "00000000-0000-0000-0000-000000000000",
    "expires_in": "0001-01-01T00:00:00"
}

If MFA is optional and not configured, or not enabled, the API returns the standard profile response with an access token.
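
The two response shapes described above need different handling, and the all-zero access_token in the MFA-pending response must never be stored as a session. The following is an added example, not LoginRadius code: the field names come from the sample response, while the function name, state names and the completed-login sample are assumptions made for illustration.

```javascript
// Added example: field names come from the sample response above; the function
// name and state names are assumptions made for this illustration.
const NIL_GUID = '00000000-0000-0000-0000-000000000000';

// ExpireIn in the sample has 7 fractional-second digits; trim to milliseconds
// so parsing does not depend on how lenient the JavaScript engine is.
function parseExpiry(value) {
  const ms = Date.parse(String(value).replace(/(\.\d{3})\d+/, '$1'));
  return Number.isNaN(ms) ? null : ms;
}

function classifyPasswordlessResponse(resp, nowMs = Date.now()) {
  const sfa = resp && resp.SecondFactorAuthentication;
  if (sfa && sfa.SecondFactorAuthenticationToken) {
    // MFA is pending: Profile is null and access_token is a placeholder,
    // so nothing in this response may be stored as a session.
    const expiresMs = parseExpiry(sfa.ExpireIn);
    if (expiresMs === null || expiresMs <= nowMs) return { state: 'mfa_expired' };
    return {
      state: 'mfa_required',
      secondFactorToken: sfa.SecondFactorAuthenticationToken,
      expiresMs,
    };
  }
  const token = resp && resp.access_token;
  if (typeof token === 'string' && token !== '' && token !== NIL_GUID && resp.Profile) {
    return { state: 'authenticated', accessToken: token, profile: resp.Profile };
  }
  // Anything else (missing token, all-zero token, null profile) is not a login.
  return { state: 'rejected' };
}

// Trimmed copy of the sample response shown above.
const mfaSample = {
  SecondFactorAuthentication: {
    SecondFactorAuthenticationToken: 'b1fbbba5-2a5e-41a2-96da-c216df36e6f4',
    ExpireIn: '2021-04-06T08:36:53.3005592Z',
  },
  Profile: null,
  access_token: NIL_GUID,
  expires_in: '0001-01-01T00:00:00',
};
// Constructed sample of a completed login (all values are placeholders).
const loginSample = {
  Profile: { Note: 'constructed profile' },
  access_token: 'constructed-token-value',
};
```

Call classifyPasswordlessResponse from the onSuccess handler or from server-side code that receives the verification API response, and create a session only for the authenticated state.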

Implementation Notes:

  • The same factor cannot be reused for both passwordless login and MFA.
  • Verification APIs support query parameters like duoredirecturi, emailtemplate2fa, and smstemplate2fa for customizing the redirect URI and email/SMS templates.
  • If users attempt to use the same channel for both factors, they are prompted to set up an additional method.

For detailed implementation, refer to the Multi-Factor Authentication documentation.

To implement Passwordless Login with an SDK, you can use any of the SDKs provided by LoginRadius, based on your requirements. See the LoginRadius GitHub Repositories.

Best Practices

  • Customize OTP messages to identify your app and reduce phishing risks.
  • Enforce limits on OTP retries and expiration time, and prevent reuse to block brute-force attempts.
  • Use secure and compliant email/SMS providers to ensure message deliverability and protection against spoofing.
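
What the retry-limit, expiration and no-reuse practice means on the verifying side, as an added example: this is illustrative logic, not LoginRadius's implementation or API. All names are hypothetical, and the 5-minute lifetime and 5-attempt limit are assumed defaults that the page does not specify.

```javascript
// Added example: expiry, retry limit and single use for OTP verification.
// All names and default values are assumptions, not part of any LoginRadius API.

// Compare every character so response time does not reveal a matching prefix.
// (In Node.js, crypto.timingSafeEqual on equal-length buffers does the same job.)
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

function createOtpVerifier({ ttlMs = 5 * 60 * 1000, maxAttempts = 5 } = {}) {
  const pending = new Map(); // accountId -> { code, expiresAt, attemptsLeft }

  return {
    // Issuing a new code replaces, and so invalidates, any earlier one.
    issue(accountId, code, now = Date.now()) {
      pending.set(accountId, { code, expiresAt: now + ttlMs, attemptsLeft: maxAttempts });
    },

    verify(accountId, submitted, now = Date.now()) {
      const entry = pending.get(accountId);
      if (!entry) return 'no_pending_code';
      if (now >= entry.expiresAt) {
        pending.delete(accountId);
        return 'expired';
      }
      if (constantTimeEqual(String(submitted), entry.code)) {
        pending.delete(accountId); // single use: a replayed code finds nothing
        return 'ok';
      }
      entry.attemptsLeft -= 1;
      if (entry.attemptsLeft <= 0) {
        // Retry budget spent: discard the code so guessing cannot continue.
        pending.delete(accountId);
        return 'locked';
      }
      return 'invalid';
    },
  };
}
```

With a 6-digit code and 5 attempts per issued code, a guesser succeeds with probability 5 in 1,000,000 per code, so the rate at which new codes can be requested needs its own limit.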